Description
Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed.
References (4)
Core 4
Core References
Various Sources vendor-advisory
https://aws.amazon.com/security/security-bulletins/2026-004-AWS/
Vendor Advisory third-party-advisory
https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543
Release Notes patch
https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1
Release Notes patch
https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0
Scores
CVSS v3
5.9
EPSS
0.0024
EPSS Percentile
15.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-295
Status
published
Products (3)
AWS/SageMaker Python SDK
2.256.0
AWS/SageMaker Python SDK
3.1.1
pypi/sagemaker
3.0 - 3.1.1PyPI
Published
Feb 02, 2026
Tracked Since
Feb 18, 2026